The XY Files in an MT World

Indian Business Consultant Says U.S. Largely Responsible For Demand For Black Market Medical Records

Published November 3, 2009 3:23 AM by Jay Vance

From Na Vijayashankar ("Naavi") at www.naavi.org comes a strong response to the Indian black market medical records scandal in general and the resulting comments by Webmedx CEO Sean Carroll in particular (emphases mine):

"To put the incident in the proper perspective, we can recall the many data breach incidents that have occurred in the U.S. itself, where millions of records have been compromised--some out of financial inducements, many through negligence and many more due to criminals who hack into systems as a profession. IS [information security] is therefore as much an issue in the U.S. as it is in India.

"The reason for increasing data breaches of the kind referred to in the instant case is the growing cyber crime underworld which finds all means of stealing data because there is a market for the same. In the case of health records coming under HIPAA, the beneficiaries are in the U.S. Many of them are the insurance companies who follow unscrupulous methods to obtain data that can be used for marketing. It is therefore the unethical business practices of the U.S. insurance companies that cause a fertile ground for the proliferation of the data breach incidents. Part of the solution therefore lies within the U.S. jurisdiction on how to promote ethical business practices. I would request Sean Carroll to find means of spreading this message in the industry in the U.S."

Naavi further alleges that although Indian business process outsourcing (BPO) firms, including medical transcription service providers, do indeed need to pay more attention to security, the onus is on U.S.-based clients and primary contractors to put pressure on their outsourcing partners to adhere to HIPAA standards:

"On the other hand, I would also request the U.S. companies outsourcing health care business to India to insist that their clients in India must undergo a 'HIPAA-HITECH Compliance Drill.' I have observed that many Indian companies are not aware of their responsibilities. This lack of awareness is also indicative that the U.S. vendors are not driving home the requirement of HIPAA compliance in their SLAs. Perhaps they have exchanged a contract which indirectly talks of an indemnity. This is more a legal formality they have undergone rather than a real effort to educate their counterparts. Let it be one of the HIPAA compliance requirements of the U.S. companies that they have specifically inquired with their Indian counterparts about the HIPAA compliance measures undertaken in India and obtain certifications. Not all these certificates would be reliable, but many would be.

"Many of the HIPAA awareness programmes I have conducted, and audits I have participated in are a result of the initiative of the local companies to improve their competitiveness. This indicates that there is a desire in India for companies to adopt IS standards. Like in every other case of motivation, they perhaps need a little nudging, little coercion and little incentivisation.

"I would request U.S. companies not to treat HIPAA compliance as a paper formality to be completed. Let it be a genuine exercise to promote IS culture. Let the U.S. vendors insist in their business contracts that Indian medical transcription partners must only engage employees who have undergone a 'HIPAA Awareness Training' and send documentary proof for having conducted such programme for their employees. U.S. companies can also devise strategies where they earmark a part of their payments to be released only towards expenses in employee training and other HIPAA initiatives. (Extension of Obama’s strategy of incentivisation of adoption of EHRs by medical practitioners).

"The sting report is therefore a wake up call as much to the U.S. companies as it is to the Indian companies. Let’s work together in the effort to have adequate information security without losing out on the outsourcing advantages."

Clearly the Indian BPO industry is rightfully concerned about the potential fall-out from data breaches of U.S. health information. Time will tell whether or not this blame-the-greedy-Americans strategy is the best way to go about reassuring the U.S. citizenry and regulatory bodies that our medical records are safe in foreign hands.

On the other hand, this blogger does raise some important issues that shouldn't be summarily dismissed merely because of the rather belligerent (not to mention somewhat self-serving) tone in which they are presented. As I have said in the past, many of the concerns regarding the safety of foreign outsourcing of protected health information (PHI) are just as applicable to the domestic outsourcing MT industry that relies heavily on home-based practitioners. It's my firm belief that the increased focus on PHI security as a result of HITECH truly is, as Naavi says, a "wake up call" to the medical transcription industry, both here and abroad. To mix a couple of metaphors, before casting stones at the practice of offshore outsourcing, we'd best make sure the glass-housed domestic MT workforce is without sin as well.

4 comments

@Jay Vance

Yep, I agree with that.

Raj November 3, 2009 11:17 PM

Raj and Naavi, first of all, if you read my post you'll see I did NOT dismiss the points Naavi made in his blog post. On the contrary, I said he made some valid points that should NOT be dismissed out of hand. But beyond that, trust me when I say that statements like "you can't blame it on the thieves" aren't doing your cause any favors. I call this a "Yeah, but..." response, as in, "Yeah, these guys were thieves, BUT they're no worse than all the other thieves out there." That's like two drivers who both run a stop sign and kill each other, and then argue over who was the most to blame. The fact is they're both dead.

The point I'm making is that BOTH offshore AND domestic outsourcing are at risk with increased scrutiny post-HITECH. Regardless of who you think is "more to blame" for security breaches, the fact is that ANY health information breach ANYWHERE IN THE WORLD is now going to affect EVERYBODY ELSE in the world.

Jay Vance November 3, 2009 10:18 AM

I think Naavi is driving home a valid point not to be dismissed just like that. As long as there are people buying stolen goods and there exists a demand for a commodity in the black market, you can't blame it on the thieves. Plug it at the root rather than pass the buck.

Raj November 3, 2009 7:50 AM

I accept the comments as they are presented. Perhaps both of us are trying to achieve the same objective and using the incident to drive home a point to the industry.

My objective in pointing to the US domestic Cyber Crime syndicate angle is to indicate that as long as there are people who buy stolen goods, there will be thieves and an action plan at the user end is also essential. For example, if an Indian employee has sold the data to a US company, that company should also be adequately penalized for better implementation.

Naavi November 3, 2009 6:24 AM


About this Blog


    Jay Vance, CMT
    Occupation: Medical Transcription Industry Consultant
    Setting: Yuma, AZ